Help Center> GaussDB(for MySQL)> Getting Started> Step 2: Connect to the DB Instance> Connecting to a DB Instance over a Private Network> Configuring Security Group Rules
Updated on 2024-01-18 GMT+08:00
View PDF

Configuring Security Group Rules

Scenarios

A security group is a collection of access control rules for ECSs and instances that have the same security requirements and are mutually trusted in a VPC. To ensure database security and reliability, you need to configure security group rules to allow specific IP addresses and ports to access instances.

Check whether the ECS and instance are in the same security group.

  • If they are in the same security group, they can communicate with each other by default. No security group rule needs to be configured.
  • If they are in different security groups, you need to configure security group rules for the ECS and instance, respectively.
    • Instance: Configure an inbound rule for the security group to which the instance is associated.
    • ECS: The default security group rule allows all outbound data packets. In this case, you do not need to configure a security group rule for the ECS. If not all outbound traffic is allowed in the security group, you may need to configure an outbound rule for the ECS to allow all outbound packets.

This section describes how to configure an inbound rule for a DB instance.

For details about the requirements of security group rules, see Adding a Security Group Rule in the Virtual Private Cloud User Guide.

Precautions

The default security group rule allows all outbound data packets. If an ECS and an instance are in the same security group, they can access each other. When a security group is created, you can configure security group rules to control access to and from instances associated with that security group.

  • By default, you can create up to 500 security group rules.
  • Too many security group rules will increase the first packet latency. You are advised to create up to 50 rules for each security group.
  • To access an instance from resources outside the security group, you need to configure an inbound rule for the security group associated with the instance.

To ensure data and instance security, use permissions properly. You are advised to use the minimum access permission, change the default database port 3306, and set the accessible IP address to the remote server's address or the remote server's minimum subnet address to control the access scope of the remote server.

If you use 0.0.0.0/0, all IP addresses can access instances associated with the security group.

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner and select a region and a project.
  3. Click in the upper left corner of the page, choose Databases > GaussDB(for MySQL).
  4. On the Instances page, click the instance name to go to the Basic Information page.
  5. Configure security group rules.

    In the Network Information area on the Basic Information page, click the security group name next to the Security Group field.

    Figure 1 Configuring a security group

  6. On the Inbound Rules tab, click Add Rule. In the displayed dialog box, configure required parameters and click OK.

    You can click to add more inbound rules.

    Figure 2 Adding inbound rules

    Table 1 Inbound rule parameter description

    Parameter

    Description

    Example Value

    Protocol & Port

    Network protocol for which the security group rule takes effect.

    • Currently, the value can be All, TCP (All ports), TCP (Custom ports), UDP (All ports), UDP (Custom ports), ICMP, GRE, or others.
    • All: indicates all protocol ports are supported.

    TCP (Custom ports)

    Port: the port over which the traffic can reach your DB instance.

    When connecting to the instance through a private network, enter the port of the instance.

    • Individual port: Enter a port, such as 22.
    • Consecutive ports: Enter a port range, such as 22-30.
    • All ports: Leave it empty or enter 1-65535.

    Type

    Currently, only IPv4 and IPv6 are supported.

    IPv4

    Source

    Source of the security group rule. The value can be a security group or an IP address.

    xxx.xxx.xxx.xxx/32 (IPv4 address)

    xxx.xxx.xxx.0/24 (subnet)

    0.0.0.0/0 (any IP address)

    0.0.0.0/0

    Description

    Supplementary information about the security group rule. This parameter is optional.

    The description can contain up to 255 characters and cannot contain angle brackets (<>).

    -

    Operation

    You can replicate or delete a security group rule. However, if there is only one security group rule, you cannot delete it.

    -